KADANT INC 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

KADANT INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-27 15:11:57 EST.

Filings

10-K filed on 2024-02-27

KADANT INC filed a 10-K at 2024-02-27 15:11:57 EST
Accession Number: 0000886346-24-000026


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We are regularly subject to attempted cyberattacks and other cyber incidents and, therefore, cybersecurity is an important element of our business and our overall enterprise risk management program. Like other global companies, we have experienced cyber threats and incidents, although none to date have been material or had a material adverse effect on our business or financial condition. We have a multilayered approach for assessing, identifying, preventing, evaluating, managing and monitoring cybersecurity risks, that is designed to help prevent such attacks and protect our information, systems, assets and operations from internal and external cyber threats and to help mitigate risks of cyber incidents. Our board of directors delegated authority to the risk oversight and sustainability committee to assist in fulfilling its oversight responsibilities with respect to management's identification, prevention, evaluation, management, and monitoring of our critical enterprise risks. The risk oversight and sustainability committee is briefed by our Head of Global IT or counsel on a quarterly basis regarding cybersecurity risks and mitigation strategies. We continually invest in efforts to protect, monitor, and mitigate cybersecurity risks, including through our robust information security function, training and compliance programs, and regular employee training. We devote significant resources to protecting the security of our computer systems, software, networks and other technology assets, and our cybersecurity risk management processes include physical, procedural and technical safeguards. Our cybersecurity policies, standards and procedures include incident response plans designed to help coordinate our response to cybersecurity incidents, and includes processes to triage, assess the severity of, escalate, contain, investigate, and remediate incidents.
We seek to enhance our policies and practices to better protect our platform, adapt to changes in regulations, identify potential and emerging security risks and develop mitigations for those risks, including conducting cyber incident tabletop exercises with our management team. We engage external parties, including consultants, network security firms and other experts, to help us assess and enhance our cybersecurity oversight. For example, we have hired an external security vendor to conduct penetration and vulnerability testing on our networks and receive regular updates about industry cyber risks. In order to oversee and identify risks from cybersecurity threats associated with our use of third-party service providers, we perform third-party risk assessments designed to help protect against the misuse of IT by third parties and business partners and generally request that third-party service providers provide us information about their security policies and procedures. We monitor security incidents involving our third-party providers and adjust our procedures as necessary. We do not believe that there have been or are currently any known risks from cybersecurity threats that are reasonably likely to materially affect us or our business strategy, results of operations or financial condition.

Cybersecurity Governance and Oversight

Our board of directors has delegated oversight of cybersecurity to the risk oversight and sustainability committee. The risk oversight and sustainability committee receives quarterly updates from management and provides feedback regarding cybersecurity, including updates regarding recent incidents in the industry and the cyber threat landscape, and is notified between such updates regarding significant new cybersecurity threats or incidents as necessary. The board of directors receives regular reports from the risk oversight and sustainability committee.
We have a Head of Global IT whose global information security team (IT Security Team) is responsible for leading organization-wide cybersecurity strategy, policy, standards and processes and works across relevant operating entities to assess and prepare us to address cybersecurity risks. Our Head of Global IT and IT Security Team perform due diligence on the IT security systems and processes of all potential acquisition targets, and newly acquired companies are not permitted access into our IT networks or systems until they have met the necessary security standards. The Head of Global IT’s cybersecurity experience includes managing the network, infrastructure security and a cyber security team of a global consumer products company with a heavy online presence and with sales of services and goods to the U.S. government. In addition, our IT Security Team consists of employees that have security certifications from reputable cybersecurity training organizations, including CompTIA, and over 20 years of combined infrastructure architecture experience, including PCI, SOC1 and SOC2 level compliance. We have also established a cross-functional Corporate Incident Response Team (CIRT) led by our General Counsel and consisting of various leaders, including our Head of Global IT, that is responsible for coordinating our response to cybersecurity incidents that present significant risk to us. The board of directors will be notified if the CIRT has been activated and provided periodic updates concerning the incident. 
In an effort to deter and detect cyber threats, we require all employees who use an official company email account to conduct business to complete regular trainings on data protection, cybersecurity, incident response and prevention, which covers timely and relevant topics, including social engineering, phishing, password protection, confidential data protection, asset use and mobile security, and educates employees on the importance of reporting all incidents immediately. We also use technology-based tools to mitigate cybersecurity risks.


Company Information

Name: KADANT INC
CIK: 0000886346
SIC Description: Special Industry Machinery (No Metalworking Machinery)
Ticker: KAI - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 29